Fingerprint-Lock Failure in a Prison

Prison officers have been forced to abandon a new security system and return to the use of keys after the cutting-edge technology repeatedly failed.

The system, which is thought to have cost over £3 million, used fingerprint recognition to activate the locking system at the high-security Glenochil Prison near Tullibody, Clackmannanshire.

After typing in a PIN code, prison officers had to place their finger on a piece of glass. Once the print was recognised, they could then lock and unlock prison doors.

However, problems arose after a prisoner demonstrated to wardens that he could get through the system at will. Other prisoners had been doing the same for some time.

Unfortunately, the article doesn't say how the prisoners hacked the system. Perhaps they lifted fingerprints off readers with transparent tape. Or perhaps the valid latent fingerprints left on the readers by wardens could be activated somehow.

I would really like some more details here. Does it really make sense to have a tokenless access system in a prison? I don't know enough to answer that question.

Comments

It would seem that a token-based system would make much more sense, when you understand that there are a lot of criminals that would happily remove a finger from an unconscious or restrained guard to activate a tokenless system, whereas being able to remove a key from his belt loop gives the guard a better safety margin.

It is possible to install fingerprint sensors able to detect live fingerprints.
Optical scanners are not a good choice for a prison; some other type of biometric device, like retina scanners, hand geometry, or fluorodiscent polymer fingerprint readers, seems more secure.

In this case you cannot leave biometrics alone; multi-modal biometrics, or a combination of biometrics and tokens, is safer. The FAR (False Acceptance Rate) of fingerprints is not appropriate for this type of application, so it is not recommended to install a tokenless access system.

I suspect there is a very bad design in this case. I'm a biometric integrator; if you ask me, I wouldn't have accepted this project.

The basic scheme is to image the right index fingertip, then to reduce the complex pattern to a code, and then to check the code for a match with the code on file. If the coding scheme is simplistic enough, then there will be many fingertips which will reduce to the same code.

An analogy is a hash as is used in password verification. Suppose the scheme used a one-byte hash. A huge number of passwords would yield the same hash, making it insecure.

Back to that index fingertip as the pattern for the key to unlock locks: Check your hands and you'll find nine other fingertips which potentially may unlock locks your index fingertip will not.

I purchased a fancy Shepherd fingerprint lock for my company office, primarily because of the advertised 1 in 100,000 false positive rate.

The lock looked impressive, and everyone was happy with it for a while, until one day I had my hand busy and decided to try a finger from my other hand; to my surprise, it worked. Then I tried a toe. That worked too. I was amused. I then had everyone but myself deregistered, yet everyone was able to get in when they tried.

After some investigation I found that the company is basically fraudulent: their locks have 5 "security settings", from 0 to 5. At zero, which is the default, the false accept rate is about 50%. At 5, the false reject rate is about 95% -- at this setting, even with multiple fingers registered, none of us could get in with fewer than 20 presentations of a finger to the system. It doesn't seem to construct any kind of invariant representation of your fingerprint; it seemingly just matches images, which means that the slightest rotations/translations will cause it to fail at the most "secure" setting. So much for the advertised accuracy.

If you see this brand of lock anywhere, there is a good chance it's still at the default security level of 0.

With the HandKeyII system, which is much more secure, I was able to get in by presenting my other hand, inverted (apparently, my hands are symmetrical enough). I wasn't able to get in with a paper cutout -- perhaps the fingers on the cutout were fatter, or maybe HandKey takes thickness into account. So HandKeyII is much better.
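The security-setting trade-off described in the comment above, worked through as an added example (not code from the post, the commenters, or any lock vendor). It sweeps a match threshold over constructed genuine and impostor scores to get FAR, FRR and the equal-error point, shows how a per-comparison FAR compounds across enrolled templates and retries, and estimates how many error-free impostor trials an acceptance test needs before a claimed FAR is supported. The scores, the 1:N matching assumption and all function names are assumptions for illustration.

```python
"""Acceptance-test arithmetic for a biometric lock (added example).

All scores are constructed sample data, not measurements of any product.
"""
import math

# Constructed match scores on a 0-100 scale (higher = more similar).
GENUINE = [91, 88, 84, 79, 77, 73, 70, 66, 61, 48]    # enrolled finger vs. its own template
IMPOSTOR = [12, 18, 25, 31, 36, 44, 52, 58, 63, 72]   # some other finger vs. that template


def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) for a lock that opens when score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """One (threshold, FAR, FRR) row per candidate 'security setting'."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def equal_error_point(genuine, impostor, thresholds):
    """Lowest threshold where FAR and FRR are closest, and the error rate there."""
    t, far, frr = min(sweep(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def effective_far(per_comparison_far, enrolled_templates, attempts):
    """Chance that at least one comparison falsely matches.

    Assumes the reader checks a presented finger against every enrolled
    template (1:N) and that comparisons are independent.
    """
    comparisons = enrolled_templates * attempts
    return 1 - (1 - per_comparison_far) ** comparisons


def impostor_trials_needed(claimed_far, confidence=0.95):
    """Impostor trials with zero false accepts needed to support a claimed FAR.

    If the true FAR were as high as claimed_far, seeing no false accept in
    this many independent trials would happen with probability 1 - confidence.
    """
    return math.ceil(math.log(1 - confidence) / math.log(1 - claimed_far))


if __name__ == "__main__":
    print("threshold   FAR   FRR")
    for t, far, frr in sweep(GENUINE, IMPOSTOR, range(30, 91, 10)):
        print(f"{t:9d}  {far:4.0%}  {frr:4.0%}")
    t, eer = equal_error_point(GENUINE, IMPOSTOR, range(0, 101))
    print(f"equal-error point: threshold {t}, error rate {eer:.0%}")
    # Advertised 1-in-100,000 FAR, 10 users with 6 fingers each, 3 tries.
    print(f"effective FAR: {effective_far(1e-5, 60, 3):.4%}")
    print(f"trials to support 1e-5 FAR: {impostor_trials_needed(1e-5)}")
```

Roughly 300,000 error-free impostor presentations are needed before a 1-in-100,000 figure is supported at 95% confidence, which is why a vendor's quoted FAR should come with the test size behind it.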

Ok, I sent it via email. I tried removing single and double quotes, forward slashes...taking out the URLs gave me an "access denied" error so I was starting to get somewhere when I ran out of time trying to brute-force the filter.

A lot of interesting points in this story:
* Informers are still a valuable asset in prison security.
* Trying this out in a prison is an excellent idea. You get to see what attacks experienced criminals will think up when they've got plenty of time on their hands. Alas, the system operators don't seem to have bothered to monitor the units to record this valuable information...
* Someone spent £3 million on this system without stopping to think about the design. How sensible is it to use a fingerprint as an authentication token in a prison environment where the warders constantly have to handle things, and are surrounded by -- indeed outnumbered by -- opponents who have probably been prosecuted on the basis of fingerprints they accidentally left somewhere?
* However, they got one thing right; this was a two factor system, with a PIN as well as a fingerprint reader. It would be interesting to know how the prisoners circumvented that. Keypads visible whilst in use? Tracing agents on buttons? Insecure wiring? PIN shared by multiple officers, at least one of whom could be bribed? Divide-and-conquer on the two factors, with too many trials permitted against the PIN? There are lots of well known failure modes, but it would be interesting to see if the prisoners came up with something new or if the implementers just cocked it up.

The 4 digit PIN could have been made very effective by using commercially available pads that when activated scramble the location of the digits every time. They also come with a prismatic lens cover on them which makes it almost impossible to read unless you are right in front of them. A benefit of this in a prison is that the key pad would not have to be deeply recessed to keep prying eyes out.

I have been in systems where these pads are in use and they are highly effective and in the long run cost efficient.

Best guess: the system was known to be unreliable to the point that a "backdoor" PIN was enabled in the event that the fingerprint scan failed. Once that PIN was observed, the system could be compromised at will.

Just a little problem, it is known in the UK that prisoners can cut a physical key (that works) just from watching a prison warder open a door. In fact prison warders used to be trained in how to hold and use their keys to prevent this sort of problem (because the cost of replacing 100 or so high sec keys and the lock is very high).

The trouble with a keypad is that it is very, very difficult to shield it effectively when in use in a hostile environment. Even if the finger movements are not seen, the arm movements may well give sufficient information to a prisoner. When combined with a light dusting of talc or other fine powder will show which keys are in use. Even the system described by Dale Underwood above is not going to remain secure for long with inventive inmates with time on their hands.

So unless the prison warder memorizes a "one time" list of numbers they will still need a token of some kind...

I suspect the best solution would be a secure door bell and a camera in an appropriate position whereby a warden in a control center can visually verify the guard. The door bell needs some security in order to avoid nuisance DoS type attacks by the inmates; an RFID in a ring or uniform button or suchlike would probably suffice.

Sometimes "physical security" can be harder than "electronic security".

On the subject of PIN number locks... I worked for two and a half years in an office where the post room was on a "public" corridor in the shared building.
All of us had to carry pass badges to get in and out of our office, but this post room was secured by a number pad and a 4-digit PIN number (1406, so you can tell if it's the same one).

However, in the two and half years I worked there, the keypad was never cleaned, so the 4 used buttons had a delightful halo of sweat and dirt surrounding them... narrowing it down to 24 possibilities. Kind of defeated the object... and I could never understand why they didn't just extend the badge lock system to that door.
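The keypad arithmetic from the comments above (the worn four-key pad here, and the scrambling pads suggested earlier), as an added example that is not part of the original post or comments. It counts how many PINs remain consistent with a given number of visibly worn keys, cross-checks the count by enumeration, and compares the chance of a correct guess before lockout on a fixed-layout pad and on a scrambling pad. The attempt limit, the assumption that scrambling removes any wear-to-digit mapping, and all function names are illustrative.

```python
"""Residual PIN keyspace when keypad wear is visible (added example)."""
from itertools import product
from math import comb


def pins_matching_wear(pin_length, worn_keys):
    """Count PINs that press every worn key at least once and no other key.

    Inclusion-exclusion over the worn keys that a candidate PIN might miss.
    """
    k = worn_keys
    return sum((-1) ** j * comb(k, j) * (k - j) ** pin_length
               for j in range(k + 1))


def brute_force_count(pin_length, worn_digits):
    """Same count by enumeration, as a cross-check of the formula."""
    wanted = set(worn_digits)
    return sum(1 for pin in product(worn_digits, repeat=pin_length)
               if set(pin) == wanted)


def guess_probability(candidates, attempts_before_lockout):
    """Chance that distinct guesses hit the PIN before the pad locks out."""
    return min(1.0, attempts_before_lockout / candidates)


def compare_keypads(pin_length, worn_keys, attempts_before_lockout):
    """Guess probability on a fixed pad with visible wear vs. a scrambling pad.

    Assumption: on a scrambling pad the digit positions change on every use,
    so wear on a button says nothing about which digits are in the PIN and
    the full 10**pin_length space remains.
    """
    fixed = pins_matching_wear(pin_length, worn_keys)
    scrambled = 10 ** pin_length
    return {
        "fixed_candidates": fixed,
        "fixed_guess_probability": guess_probability(fixed, attempts_before_lockout),
        "scrambled_candidates": scrambled,
        "scrambled_guess_probability": guess_probability(scrambled, attempts_before_lockout),
    }


if __name__ == "__main__":
    for worn in range(1, 5):
        print(f"4-digit PIN, {worn} worn keys: {pins_matching_wear(4, worn)} candidates")
    # Hypothetical policy: lock out after 3 wrong entries.
    for name, value in compare_keypads(4, 4, 3).items():
        print(f"{name}: {value}")
```

With four worn keys the count is the 24 the commenter arrived at; three worn keys leave 36 candidates because one digit must repeat.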

I didn't think to check the brand name, but I went to Universal Studios last weekend where at least one of the rides has lockers outside because the ride (The Mummy) is violent enough that you can't take bags in with you. There were several banks of lockers; each bank had a small screen/console where you get access to a locker. There were two different methods you could use. First it asked you to place your finger on a scanner, then repeat. I tried that about six times, but it said it could not verify my fingerprint, so it fell back to using a passcode you got to choose.

I didn't have anything valuable in my bag, otherwise I would have just skipped the ride, because I was not very impressed with the system. The only thing I did like was that the passcode was six digits long, rather than the usual four. But the keypad was in plain sight with no way to really hide what you were typing in.

I think we will eventually look back and wonder about the use of the term 'fingerprint' to represent certainty.

I have found many fingerprint readers fairly flawed for reliable logins and they seem to be so non-trivial to get working properly that I am really curious how momentum continues to build and justify implementations. I hate to say it but it's almost as if some people want the promise of biometrics so badly, that they're willing to sign-off the first thing that sounds good-enough to believe.

It doesn't help matters that NIST announced in January 2005 'only fingerprints offer the combination of reliability, open standards and interoperability among products of different manufacturers necessary to the [Personal Identity Verification] standard'.

After a review of the data, however, it looks to me like they go high on the bar for open standards, ease of use, cost and interoperability and make a number of exceptions in order to get over the bar for reliability.

The report shows single-finger accuracy is 98.6, two-finger accuracy is 99.6, and four or more fingers can reach 99.9 percent accuracy (on the best systems that are in a clean environment). I find these numbers are actually discouraging, but maybe I expect too much from a biometric security control.

There isn't much data available on the exact system in the prison (for obvious reasons), but a prison expansion was ordered in 2003 for this prison and also the Saughton Prison in Edinburgh (the other facility mentioned in this article). Those two projects apparently were done by Skanska, TPS Consult, Haden Youngas, and PCSL.

TPS Consult might be the place to explain more of what was expected out of the system:

Incidentally, I noted the use of hand readers (to detect the presence of illicit substances on visitors) at some prisons in Scotland. Makes me wonder why they used simple fingerprint instead of more advanced and accurate hand-geometry readers for the prisoners. Cost?

I also noted that prisons almost always try to have more than one control in place as a fail-safe measure. The fact that a prisoner actually had to alert the prison to the failure of this control means the overall security design must have been seriously flawed at a higher level. For example, how did prisoners also figure out the PINs?

It is easy, and right, to blame the lock system for a major failure, but it shouldn't stop there. A setting such as this is one of the areas where the value of cameras moves beyond the forensic. Were there not cameras in place which would have detected inmates passing out of a restricted area? Did nobody monitor those images? The prison's failure to detect the free movement of prisoners is indicative of a massive failure of security systems throughout the prison. It is not hard, therefore, to believe that the clearly flawed installation was but a small part of the problem, specified and authorized by individuals lacking a security mindset. A poor mechanic blames his tools; if the lock system had worked as designed, the security at the prison would still have been flawed.

After reading through these posts, I have to wonder, are the problems described here with generally using fingerprints as a biometric authentication a bad thing, or are we just seeing a bunch of crap technology, charlatan vendors, and snake-oil solutions?

A number of years ago I read a paper on biometric technologies that discussed fingerprint scanner techniques (unfortunately I can't find this paper just now). There were many techniques presented, with things like subcutaneous scanning of the finger via infrared (lasers?) to determine if blood is flowing in the finger's blood vessels (to detect "dead fingers", "gummy fingers", etc.). The paper presented these as viable technologies for the "near" future then, which would now be "In the past". Where are the fingerprint scanners with these technologies?

I would be at least as concerned by the failures of the system certification / acceptance process as by the facts of the case itself.

Who signed off on the test plan? Were any useful tests actually carried out?

As for fingerprints as a means of identification, we must remain careful about what we claim to know, as a particular U.S. lawyer can attest after being misidentified as a member of the plot in the Madrid bombings. http://www.latent-prints.com/Mayfield%20Reuters.htm

"... are we just seeing a bunch of crap technology, charlatan vendors, and snake-oil solutions."

In my (limited) experience there are a lot of snake oil vendors in the biometrics field. Or at least, rather stringy mutton dressed up as lamb. I think it became something of a fad about 7 to 10 years ago, a lot of money was invested, they got very excited after 11th September 2001, and now they are desperate to get the returns they saw hyped. At any rate, a lot of vendors seem to egregiously exaggerate the capabilities of their systems. I saw one set of figures where the independently tested FAR was over 100 times worse than the manufacturer's claimed FAR under the same conditions, and another system being proposed for a large scale financial application which may have had an EER of about 10%! Unfortunately, independently verified statistics are rarely available. Most of the independent data available comes from medium scale government run "pilot programs" where, in _every_ such case I can find, the program was soon abandoned when it became apparent that the actual performance of the system in the real world was completely useless, e.g. the US facial recognition tests at airports which had a FRR of 50% at a FAR of 1% (1 in every 100 persons falsely accused of being a "known terrorist", while 50% of "known terrorists" slipped quietly by!)

In my inexpert opinion after a fairly extensive literature survey, there are quite a few systems available now which are suitable for low security applications, if you thoroughly understand their properties and deploy them carefully. However there are still very few systems which are suitable for medium to high security applications.

Iris codes are probably acceptable for medium security applications. They have a genuinely excellent EER, good reliability in marginal conditions, and acceptably low failure to enrol (although so far there seems to have been only one large scale test). The main problem keeping it out of "high security" in my mind is that it is far too easy to photograph someone's iris with the necessary resolution to spoof a scanner. Scanners are being built which allegedly have the ability to ascertain that the iris image is mounted behind a real eye lens but a) I wouldn't trust them until they have shown resistance to a concerted hostile attack and b) anyway at the butcher's shop you can get real eye lenses for the asking.

For high security applications, the only acceptable solutions at present appear to be retinal scanners and DNA analysis. Of course at present DNA analysis cannot be done in real time so it is useless for access control. Retinal scanners can have extremely good FAR (c. 1 error per million scans -- although at FRR around 5 ~ 10%, which is only acceptable in high security applications) and _appear_ to be the hardest biometric data to steal or spoof. However the other disadvantages are such that very few vendors are currently producing them. They are much more expensive than many other biometric systems (c. $2500), have a relatively high failure-to-enrol rate (c. 10%), and some people find them physically painful to use. Scans are also rather slower than many other systems which could be a problem in high traffic areas.

A lot of the published biometrics research at present is steered towards simply getting acceptable failure rates out of the bloody things, through such things as multi-modal systems (intelligently weighted decisions from scanning multiple biometrics, e.g. fingerprint + voice). Very little seems to be looking at resistance to deliberate spoofing. Perhaps one day they'll start to concentrate on security once they get them to at least work...

Oh, and another big issue if you're thinking of implementing one of these systems: a lot of vendors in the industry don't seem to stay in business very long.

"to detect "dead fingers", "gummy fingers", etc."

Some such systems are on the market, but there seems to have been very little independent testing, and anecdotal evidence is that they significantly increase failure rates for real fingers while being far from foolproof against fakes. Can't be bothered looking up the references, but someone (possibly the original author) did try "gummy fingers" against one reader that supposedly had "live finger verification" and found the gummy finger fooled it completely; the sensor was happy to detect the "liveness" of the finger the cast was mounted on, whilst reading the ridge pattern of the cast.

In a prison, one real worry would be the existence of any false negatives. It is easy to conceive of lots of situations where a guard absolutely must get through a door quickly and failure to read a print (dirty or bloody hand?) could be fatal.

Regarding biometric authentication systems, I don't see how the use of DNA or simple finger scanning can work. Perhaps I have not read enough about it, but it would seem that any type of biometric system that does not verify "presence" would be worthless. That is, any type of biometric authentication device that only tests for data that can be "left behind" (fingerprints, DNA, etc.), can't possibly work.

And isn't that the whole point of a "biometric" authentication device? To not only examine presented data (i.e. finger ridges, retinal maps, etc.) but in the process to also verify that the person this data belongs to is also present? It seems that a lot of systems that are being passed off as "biometric" aren't actually checking the last part, that the person is actually there.

For example, a fingerprint scanner that doesn't verify a "live" presence by checking for things like subcutaneous activity (i.e. blood flowing in vessels "behind" the finger ridges presented), would be way too easy to spoof. People leave fingerprints everywhere they go, which can easily be picked up by anyone and "reused" in simple scanners (eg. gummy finger). While a fingerprint scanning system that checks subcutaneous activity could perhaps be fooled (via plastic surgery?), it would require a very determined attacker. In this case, a fingerprint itself is not actually a biometric, a "biometric" is verifying the fingerprint and the person it belongs to.

The same goes for DNA (assuming technology evolves to make this real time). Unless the authentication device is actually performing a _verifiable_ "live" DNA extraction (swabbing?, blood samples?), it would seem to be way too easy to fool a scanner by simply presenting someone else's DNA (which was "left behind" by them).

Besides the subcutaneous fingerprint scanner, another biometric device I read about that seemed to have lots of potential was that of handwritten signatures where the scanner examines multiple points beyond just the signature image, like pen pressure, speed, etc. This seems like a true biometric device (unlike the simple image capture devices in many stores today), able to verify an individual's presence, and would likely be very hard to spoof (an attacker might be able to get the image part, but the pen pressure, speed, etc. would again take a very determined attacker to fool the scanner).

Even live-extraction DNA sampling could fail to pass when it should pass and could pass when it shouldn't. The DNA would not be collected, it would be presented, by me.

How would my DNA be presented? I pull out a head hair or an eyelash, or prick my fingertip for a drop of blood? The bulb of the hair may have no usable DNA, meaning I would be wrongly denied entry. Gunk on my fingertip could confound the blood sample, again wrongly denying me entry.

At the same time, a good dip (pickpocket) could probably snare some of my hair follicles in a bump and snatch to pass himself off as me. And with modern hypodermic needles as sharp as they are now, I might fail to notice a momentary jab.

To make live extraction verifiable it would take a human operator personally trained by James Randi.

I went to Universal Studios and put my stuff in one of those lockers, when i came back my stuff was gone.. one of the team members opened my locker to someone else.. i lost over $2000 worth of stuff and my vacation was ruined...

I can't claim to have investigated them in sufficient detail to give you advice on such an important matter. However, the quoted FAR and FRRs look more than good enough for the application; TOO good, in fact. To the best of my knowledge no fingerprint reader has ever been independently assessed as having performance even in the ballpark of this (FAR of < 1 in a million whilst giving FRR of < 1 in 10,000. That's better than $3000 retina scanners).

So, if I were you I would try to find out the source of this data, and obtain independent assessments if possible (most likely, they won't be available).

Also, if you get the opportunity to see a demo, try some of the tricks which often defeat fingerprint readers (e.g. breathe on the sensor plate to bring out the latent print after a correct entry has been received, place a small bag of warm water on the sensor plate). Try each trick at least several times.

Finally, I think you should do a careful risk analysis of why you want one of these locks. I don't think it can be security alone; for the same price (most of them $500 or $600!) you can get a very formidable mechanical lock, reinforce the door hardware, add a monitored alarm system, and pay for the first year's worth of monitoring!

If the issue is that you keep forgetting your keys, the solution may be as simple as finding a neighbour you trust to keep a spare copy. Or you could consider a keypad lock; like fingerprint readers, they are more conspicuous than mechanical locks, and they are slightly more expensive than mechanical locks of roughly equivalent security, but you can get a pretty good electronic keypad lock for under $200.

I own one of the ADEL finger locks (slightly different model with the same specs). The FRR may be correct. When my fingers get slightly cracked I can't hardly gain access. I have to use another finger that is not cracked (I have registered 6 of my fingers to get around this issue). I don't have large hands for a man but my fingers are as wide as the reader. I purchased this for my son to have access to the house with no key and with his small fingers the FAR is correct. When he correctly puts his finger on the pad it works 100% of the time. I think it can use the outline of his finger to rotate the scan to the stored image.

My fingers, when not cracked, have to be placed on the sensor just about exactly the way they were memorized. Also I have to use my shirt to wipe the glass every few weeks to remove the grime.

The features are great: 9V battery emergency power in case the internal AA batteries fail (can leave a 9V battery in the garage just in case). You have to enter a 4 digit code before the scanner will enable (as accurate as this unit is I wish I could disable that function).

I have bought an ADEL model fingerprint lock and have used it for 34 months without any problems accessing my premises, and now all my apartment and office have been installed with the locks and I have not received any complaint from my tenant or workers using it every day.

As a security consultant, one of the first things that you learn is that nothing is foolproof; eventually someone will find a way to beat any system. The only way to reduce the odds of this happening is to ensure that the system configuration, including passwords, codes, access tags etc., is changed regularly. In addition, any security system should have a minimum of 3 levels of security, all inter-reactive. The weakest element of any system is the human one, as this can be compromised at many levels. The only true solution is total random matrices of codes on a daily basis. This could be done in a similar fashion as used by a well known on line payment system which requires a request code sent first to a receiver, then a matching code is found and opens the door; however, the next time the tag is used a different random code is sent so it can never be compromised. Too often institutions want the best systems with minimum levels of staff to manage it to reduce costs, which in the end costs more money due to system failures and fraud; the more people that are involved helps to reduce compromise.

I would like to install a door lock to my house that my daughter can use. The problem is that she is with my ex-wife much of the time and my (mentally challenged) daughter is incapable of keeping secrets from her mother ...who is a borderline-personality disordered woman would undoubtedly "borrow" or copy any key I give my daughter (to steal, snoop).
I've considered biometric locks, video surveillance. I do not want to spend thousands, but I will spend hundreds. Any suggestions would be greatly appreciated. Thanks.

A good test for these would be to make something prisoners want (bottles of beer?) available to them if they break or fool such a system. When the beer is safe one could consider moving on to something more valuable.

There are many problems with fingerprint readers. One of the main flaws is that you leave the key around everywhere when you are touching things.

Another problem is (for door locks and the like): it's an electronic device trying to control a physical lock. At some point the device needs to make something physical move - likely via a relay or something like that. This interface from electronic to physical is an easy target - e.g. you need to protect the wire going to the relay physically (so someone can't just short it), and you need to protect the relay against manipulation via an external magnet.

interesting comments on this entry...
i have a dell which came with a FP reader installed, the first time i registered it took forever because my hands were sweaty, and even after i improved the prints i had stored it is still a hit and miss situation whenever i use it. i would never rely on a device like this to protect my computer, or my home. passwords that change regularly are more effective in my opinion.
(although i do know a guy at school who can pull passwords off a computer with a usb device or wirelessly, so depending on who you are guarding your computer from, NOTHING is safe. lol)
i would say, write all your personal docs in a unique language only you know, change your password whenever it becomes ingrained or anyone else has a chance to see it, and most importantly don't record or send anything using any method if you don't want someone to find it.